I am trying to read in text from a text box and store it in my database. Security of my database is the first priority and special characters are second. At the moment users can use basic special characters (!@# etc.) but not greater than or less than (<>) or (☺☻♥).

This is what the code looks like at the moment.

```php
// Builds one "table.field = 'value'" fragment for the query; strip_tags() runs on
// the submitted value before mysql_real_escape_string() escapes it.
$temp = $tableName.".".$fieldName." = '".mysql_real_escape_string(strip_tags($fieldValue))."'";
```

When I put in < or >, I receive blanks in my database, and when I put in ☺ or ☻, I receive ? as an input.

Any input on this would be nice. Thank you.

Guntis Treulands
Sari Rahal
  • Because strip_tags() does not actually validate the HTML, partial or broken tags can result in the removal of more text/data than expected. Quoted from [http://php.net/strip_tags](http://php.net/strip_tags) – zgr024 Mar 15 '13 at 20:40
  • mysql_* functions are deprecated. You should be using mysqli or PDO – Cfreak Mar 15 '13 at 20:50

4 Answers

It is not related to the database; it is related to the strip_tags() function, which strips HTML and PHP tags from a string.

Can Geliş
    First part is right. The other characters are probably showing as `?` because the character set on the table doesn't support those characters – Cfreak Mar 15 '13 at 20:37
  • actually, it can be. m_r_e_s requires a live connection to the DB to operate, which means db settings CAN trash strings. – Marc B Mar 15 '13 at 20:38
> when I put in '<' or '>' I receive blanks in my database.

That's what the strip_tags method does.

> and when I put in '☺' or '☻' I receive '?' as an input.

That's an encoding problem.

As for

> Security of my database is at first priority

I suggest you migrate your code to prepared statements (mysqli or PDO).

Sebas
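The migration this answer recommends, as an added example that is not code from the question or from any answer on this page: the submitted text is stored exactly as typed through a PDO prepared statement, the connection declares the same character set as the table (which is what the comments above identify as the cause of the `?` characters), and escaping happens only when the text is placed into HTML. The host, database, credentials, and the `notes` table with its `body` column are placeholders assumed for the example.

```php
<?php
// Added example, not code from the question or any answer. It assumes a MySQL
// server reachable with the placeholder credentials below and a table created as
//   CREATE TABLE notes (id INT AUTO_INCREMENT PRIMARY KEY, body TEXT)
//   CHARACTER SET utf8mb4;
// The table and column names are hypothetical.
declare(strict_types=1);

function connect(): PDO
{
    // charset=utf8mb4 in the DSN makes the connection use the same encoding as
    // the table, so characters such as ☺☻♥ round-trip instead of becoming '?'.
    $dsn = 'mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4';
    return new PDO($dsn, 'DB_USER', 'DB_PASSWORD', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}

// Store the text exactly as typed. The placeholder keeps the value out of the
// SQL text, so quotes, '<', '>' and backslashes cannot change the query, and no
// escaping or tag stripping is needed on the way in.
function saveNote(PDO $db, string $body): int
{
    $stmt = $db->prepare('INSERT INTO notes (body) VALUES (:body)');
    $stmt->bindValue(':body', $body, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

// Escape on the way out, at the point where the text is placed into HTML.
function renderNote(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM notes WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $body = $stmt->fetchColumn();
    if ($body === false) {
        return '';
    }
    return '<p>' . htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

// Constructed input containing a quote, angle brackets, a tag and UTF-8 symbols.
$db = connect();
$id = saveNote($db, "O'Reilly said: 1 < 2 <b>bold?</b> \u{263A}\u{263B}\u{2665}");
echo renderNote($db, $id), PHP_EOL;
```

Storing the raw text and escaping on output keeps the database an accurate record of what the user typed and lets the same value be reused in a non-HTML context (a CSV export, an API response) without first undoing entity encoding. The `charset` in the DSN must match the table's character set; `mysql_real_escape_string` in the original code also depends on the connection's character set, which is why the comment above notes that database settings can alter strings.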
Use htmlentities or htmlspecialchars instead of strip_tags. strip_tags removes any HTML tags from the string. The two functions I mentioned convert the HTML tags into HTML entities (a textual representation of that character, e.g. &lt;), which means they can be output on a page as text and not be parsed as HTML by the browser.

James Coyle
  • OK, so now the code reads `= '".mysql_real_escape_string(htmlentities($fieldValue))."'";`. When I enter '<' or '>' it works properly; however, when I enter '☺' (alt + 1) I receive â?º – Sari Rahal Mar 15 '13 at 21:15
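To make the difference between the two approaches concrete (the first answer's point that strip_tags() is what produces the blanks, and this answer's suggestion to escape instead), here is an added example that is not code from the question or any answer. It runs from the command line with no database and uses constructed sample inputs of the kinds the asker describes; the function names are the example's own.

```php
<?php
// Added example (not code from the question or any of the answers). Runs with
// no database; the inputs below are constructed for the demonstration.
declare(strict_types=1);

// Constructed inputs: ordinary punctuation, a lone '<', text with a real tag,
// an unterminated '<', and three non-ASCII characters as UTF-8.
$samples = [
    'punctuation'  => 'Hello!@#$%',
    'lone bracket' => '<',
    'real tag'     => '<b>bold</b> text',
    'broken tag'   => 'price <100 and rising',
    'symbols'      => "\u{263A}\u{263B}\u{2665}",
];

// strip_tags() removes anything that looks like a tag. A '<' followed by a
// non-space character opens a "tag" that is never closed, so everything after it
// is discarded; that is why a lone '<' comes back as an empty string.
function sanitizeByStripping(string $input): string
{
    return strip_tags($input);
}

// htmlspecialchars() keeps the text intact and turns '<', '>', '&', '"' and "'"
// into entities, so the value can be echoed into an HTML page without being
// parsed as markup. The encoding argument must match the real encoding of the
// input; ENT_SUBSTITUTE replaces an invalid byte sequence instead of making the
// whole result an empty string.
function escapeForHtml(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

foreach ($samples as $label => $input) {
    printf("%-13s input:    %s\n", $label, $input);
    printf("%-13s stripped: %s\n", '', sanitizeByStripping($input));
    printf("%-13s escaped:  %s\n\n", '', escapeForHtml($input));
}
```

Run it with `php example.php` and compare the `stripped` and `escaped` lines for the `lone bracket` and `broken tag` inputs: stripping loses data silently, while escaping preserves it and only changes how the browser interprets it. Escaping belongs at the point of output; applying htmlentities before storage, as the comment above does, stores entity text rather than the user's characters and still leaves the encoding mismatch that produces the mangled symbol.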
Thank you guys for your help. I found the issue. The code that I am editing was changing the special character code from '&' to %HEX for database reasons.

Sari Rahal